U.S. patent application number 11/740617 was filed with the patent office on 2007-04-26 for virtual machine control and published on 2008-10-30 as US 2008/0271015 A1.
Invention is credited to Wael M. IBRAHIM.
Publication Number: 20080271015
Application Number: 11/740617
Family ID: 39888586
Filed Date: 2007-04-26
Publication Date: 2008-10-30
Kind Code: A1
United States Patent Application 20080271015
IBRAHIM; Wael M.
October 30, 2008
VIRTUAL MACHINE CONTROL
Abstract
A method comprises receiving a request for data from a client
computer. The method further comprises obtaining an identifier of a
virtual machine. The virtual machine identifier is associated with
the requested data. The method further comprises providing the
virtual machine identifier to the client computer.
Inventors: IBRAHIM; Wael M. (Cypress, TX)
Correspondence Address: HEWLETT PACKARD COMPANY, P O BOX 272400, 3404 E. HARMONY ROAD, INTELLECTUAL PROPERTY ADMINISTRATION, FORT COLLINS, CO 80527-2400, US
Family ID: 39888586
Appl. No.: 11/740617
Filed: April 26, 2007
Current U.S. Class: 718/1
Current CPC Class: G06F 2221/2111 20130101; G06F 21/62 20130101; G06F 9/45537 20130101
Class at Publication: 718/1
International Class: G06F 9/455 20060101 G06F009/455
Claims
1. A method, comprising: receiving a request for data from a
client computer; obtaining an identifier of a virtual machine, said
virtual machine identifier associated with said data; and providing
said virtual machine identifier to the client computer.
2. The method of claim 1 further comprising the client computer
spawning a virtual machine in accordance with said virtual machine
identifier.
3. The method of claim 2 wherein spawning the virtual machine
comprises implementing a hardware and software configuration on the
client computer, said configuration being associated with the
virtual machine identifier.
4. The method of claim 1 further comprising verifying whether the
client computer spawned a virtual machine in accordance with said
virtual machine identifier.
5. The method of claim 1 further comprising computing a metric
associated with said virtual machine.
6. The method of claim 5 further comprising comparing said metric
to a predetermined metric to verify that the client computer
spawned a virtual machine in accordance with said virtual machine
identifier.
7. The method of claim 1 further comprising using location
information to determine whether a virtual machine associated with
said virtual machine identifier is to be spawned.
8. A system, comprising: logic; and a network interface coupled to
said logic; wherein said logic submits a request for data across a
network via the network interface and receives a response to said
request, said response comprising an identifier of a virtual
machine, said virtual machine identifier associated with the
requested data; and wherein the logic spawns a virtual machine in
accordance with said virtual machine identifier.
9. The system of claim 8 wherein said logic determines whether to
spawn the virtual machine in accordance with said virtual machine
identifier based on whether the system is at a location at which
said virtual machine is permitted to be spawned.
10. The system of claim 9 wherein said logic monitors the system's
location and terminates said virtual machine if said system is no
longer at a location at which said virtual machine is permitted to
be spawned.
11. The system of claim 8 further comprising a location
determination device that provides a location of the system to said
logic, and said logic determines whether to spawn the virtual
machine based on said system's location.
12. The system of claim 8 further comprising storage specifying,
for at least one virtual machine, a location at which said at least
one virtual machine can be spawned.
13. The system of claim 8 wherein the logic provides information
across the network by which a remote device verifies that the
system spawned the virtual machine in accordance with said virtual
machine identifier.
14. The system of claim 13 wherein the logic does not spawn the
virtual machine until the system's network interface receives
confirmation from the remote device that the remote device has
successfully verified that the system spawned the virtual machine
in accordance with said virtual machine identifier.
15. A system, comprising: logic; and a network interface coupled to
said logic; wherein said logic receives a request for data from a
network via the network interface and obtains an identifier of a
virtual machine, said virtual machine identifier associated with
said data; and wherein said logic provides said virtual machine
identifier across said network.
16. The system of claim 15 wherein said logic verifies whether a
remote device that received said virtual machine identifier spawned
a virtual machine associated with said virtual machine
identifier.
17. The system of claim 15 wherein said logic receives a metric
from a remote device that received said virtual machine identifier,
and said logic uses said metric to verify that the remote device
spawned a virtual machine associated with said virtual machine
identifier.
18. The system of claim 15 wherein said logic receives a location
of a remote device that received said virtual machine identifier,
and uses said location to determine whether the remote device is to
spawn a virtual machine associated with said virtual machine
identifier.
19. The system of claim 15 further comprising storage containing
multiple data items, each data item tagged with a virtual machine
identifier.
20. The system of claim 19 wherein at least one data item is tagged
with a different virtual machine identifier than another data item.
Description
BACKGROUND
[0001] Mobile computing devices have become ubiquitous in today's
economy. Such devices, while practical and useful, may also expose
security issues. For example, if such a device were stolen, an
unauthorized entity could access sensitive data stored remotely
from the device but accessible via the device. In one scenario, an
unauthorized entity in unlawful possession of a notebook computer
could use the notebook computer to access sensitive data stored on
a remote server.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] For a detailed description of exemplary embodiments of the
invention, reference will now be made to the accompanying drawings
in which:
[0003] FIG. 1 shows a system in accordance with various
embodiments; and
[0004] FIG. 2 shows a method in accordance with various
embodiments.
NOTATION AND NOMENCLATURE
[0005] Certain terms are used throughout the following description
and claims to refer to particular system components. As one skilled
in the art will appreciate, computer companies may refer to a
component by different names. This document does not intend to
distinguish between components that differ in name but not
function. In the following discussion and in the claims, the terms
"including" and "comprising" are used in an open-ended fashion, and
thus should be interpreted to mean "including, but not limited to .
. . ." Also, the term "couple" or "couples" is intended to mean
either an indirect, direct, optical or wireless electrical
connection. Thus, if a first device couples to a second device,
that connection may be through a direct electrical connection,
through an indirect electrical connection via other devices and
connections, through an optical electrical connection, or through a
wireless electrical connection. The term "system" refers to a
combination of two or more components. A system may comprise, for
example, the combination of a server and a client communicatively
coupled thereto, or a server alone, a client alone, or a subsystem
within a computer.
DETAILED DESCRIPTION
[0006] FIG. 1 shows a server computer 10 communicatively coupled to
a client computer 30 via a network 28. In various embodiments,
network 28 comprises a local area network (LAN), a wide area
network (WAN), or other types of networks. Server computer 10
comprises a processor 12 coupled to storage 14 and a network
interface 20. At least the processor 12 comprises logic that, in
various embodiments, performs some or all of the functionality
described herein attributable to the server computer 10. Storage 14
comprises a computer-readable medium such as volatile memory (e.g.,
random access memory), non-volatile storage (e.g., hard disk drive,
Flash memory, compact disc read-only memory (CD ROM), etc.), and
combinations thereof. Storage 14 comprises one or more data items
16 that are accessible to client computer 30, subject to the
security mechanisms described herein. Storage 14 may be integrated
into server computer 10, or may be provided separate from the
server computer.
[0007] Client computer 30 comprises a processor 32, one or more
hardware resources 34, one or more software resources 36, a
computer-readable medium (CRM) 38, a network interface 40, an
input device 42 and an output device 44. In various embodiments,
client computer 30 also comprises a location determination device
50. In various embodiments, location determination device 50
comprises a global positioning system (GPS) receiver or other
mechanism that permits the client computer 30 to determine its
physical location within a room, a building, a city, or any place
on earth (within the ability of the location determination
device).
[0008] The input device 42 comprises a mouse, a trackball, a
keyboard, or other type of data entry and/or pointing device. The
output device 44 comprises a display or other type of device by
which a user of the client computer 30 can view one or more of the
data items 16 stored on the server computer 10. Via interaction
with input device 42 and output device 44, a user of the client
computer 30 can request access to, and view, one or more data items
16 from the server computer 10.
[0009] Each of the server computer 10 and client computer 30
comprises a network interface (interfaces 20 and 40 as shown). Such
network interfaces 20 and 40 enable the server and client computers
10 and 30 to communicate with one another via network 28. In
various embodiments each network interface comprises a network
interface controller (NIC).
[0010] The hardware resources 34 in the client computer 30 comprise
various configurable resources such as memory, input/output (I/O)
ports, etc. Software resources 36 comprise such resources as one or
more various and possibly disparate operating systems (e.g.,
Windows, LINUX, etc.) as well as various applications, virus
signatures, basic input/output system (BIOS) versions, operating
system service packs, etc.
[0011] Computer readable medium 38 comprises code 45 executable by
processor 32. At least the processor 32 executing code 45 comprises
logic that enables the client computer 30 to perform one or more of
the actions described herein attributable to the client computer
30.
[0012] In operation, a user of client computer 30 requests access
to one or more data items 16 on the server computer 10. In various
embodiments, server computer 10 forces the client computer 30 to
spawn a specific "virtual machine" before the server 10 provides
the requested data to the client computer 30. Client computer 30 is
capable of spawning any one or more of multiple virtual machines
available on the client computer 30. A virtual machine is an
operating environment working in conjunction with, yet independent
of, a host operating system. A virtual machine is thus a
self-contained operating environment that behaves as if it is a
separate computer.
[0013] Referring still to FIG. 1 and in accordance with various
embodiments, one or more of the server computer's data items 16 is
associated with a particular virtual machine identifier (VMI) 18. A
VMI 18 comprises a value that is associated with a particular
virtual machine that must be implemented (i.e., spawned) by a
client computer 30 in order for the client computer 30 to receive
and view the corresponding data. A VMI may comprise a sequential
number, an alphanumeric designation, or any other type of value
that uniquely identifies and distinguishes one virtual machine from
another. In some embodiments, all of the data items 16 on the server
computer 10 are associated with the same virtual machine
identifier, while in other embodiments, one or more of the data
items 16 are associated with a different virtual machine identifier
from one or more other data items 16. Some data items 16 may be
associated with a VMI 18, while other data items 16 are not
associated with a VMI 18.
[0014] In some embodiments, each time a data item 16 is created and
stored in server computer 10, a user of the server computer (e.g.,
an administrator) tags the newly stored data item 16 with a
particular virtual machine identifier. Such an administrator is
thereby able to specify which virtual machine must be spawned by
the client computer 30 in order for the client computer 30 to
receive and present the data to the user. In this manner, security
requirements of the underlying data items are mapped to desired
virtual machines that must be used to remotely access the data
items.
[0015] Upon receipt of a request for a particular data item 16 from
the client computer 30, the processor 12 of the server computer 10
obtains the virtual machine identifier associated with the
requested data item 16. The processor 12 then provides the virtual
machine identifier 18 via network interface 20 to the client
computer 30 via network 28. The virtual machine identifier 18 is
received by the client computer's processor 32 via the client
computer's network interface 40. The processor 32 of the client
computer 30 spawns the virtual machine associated with the server
computer-specified virtual machine identifier 18. Once the
processor 32 has spawned the specified virtual machine, the server
10 provides the requested data item 16 to the client computer 30
for presentation to the client computer's user. In various
embodiments, spawning a virtual machine comprises such actions as
allocating a specified amount of memory, loading a particular
operating system, enabling and disabling specified input/output
(I/O) ports, etc. Code 45 comprises a virtual machine monitor (VMM)
that spawns the appropriate virtual machines using hardware and
software resources 34 and 36. In some embodiments, more than one
virtual machine can be spawned at a time.
[0016] In accordance with various embodiments, the server computer
10 verifies that the client computer 30 has spawned the correct
virtual machine before providing the requested data item 16 to the
client computer 30. An example of such verification is through the
use of a Trusted Platform Module (TPM)-based mechanism such as
that described in U.S. Patent Publication No. 20050235141 entitled
"Subordinate Trusted Platform Module," incorporated herein by
reference. For example, the client computer 30, after spawning the
specified virtual machine, computes one or more metrics of the
resulting configuration of the client computer's newly spawned
virtual machine, and provides one or more such metrics to the
server 10 via network 28. The server 10 compares the received
metrics from the client computer 30 to a known legitimate copy of
such metrics. If the metrics match, the server determines that the
client computer 30 has spawned the correct virtual machine. If the
metrics do not match, the server 10, at least in some embodiments,
will not provide the requested data item 16 to the client computer
30.
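The exchange of [0015] and [0016], written out as an added example that is not part of the patent: a server holding VMI-tagged data items answers a request with the item's VMI and a fresh nonce; the client spawns the matching VM, measures its configuration, binds the metric to the nonce and sends the report back; the server compares the report against its known legitimate copy and releases the item only on a match. The data items, VM configurations and VMI names are constructed, and a SHA-256 over the canonical configuration stands in for the TPM-based metric the description refers to (a real deployment would have the client's TPM sign the metric rather than send a bare hash).

```python
import hashlib
import json
import secrets

# Constructed sample data: data items 16 on server 10, each tagged with a VMI 18
# (an untagged item is allowed by the description and needs no VM).
DATA_ITEMS = {
    "payroll.xlsx": {"vmi": "VM-FINANCE", "body": b"salary table"},
    "roadmap.pdf": {"vmi": "VM-ENGINEERING", "body": b"product plan"},
    "lunch-menu.txt": {"vmi": None, "body": b"soup of the day"},
}

# Hypothetical hardware/software configurations the VMM in code 45 can spawn.
VM_CATALOG = {
    "VM-FINANCE": {"memory_mb": 2048, "os": "linux-hardened", "usb": False, "net": "vpn-only"},
    "VM-ENGINEERING": {"memory_mb": 4096, "os": "linux", "usb": True, "net": "lan"},
}


def measure(config):
    """Metric of a spawned VM's configuration (assumed stand-in for the TPM-based metric)."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def attest(nonce, metric):
    """Bind the metric to the server's nonce so a captured report cannot be replayed."""
    return hashlib.sha256(bytes.fromhex(nonce) + metric.encode()).hexdigest()


# Known legitimate copy of each VM's metric, provisioned on the server out of band.
EXPECTED_METRICS = {vmi: measure(cfg) for vmi, cfg in VM_CATALOG.items()}


class Server:
    def __init__(self):
        self.pending = {}  # nonce -> (item, required VMI)

    def request_data(self, item):
        """Steps 102-106: look up the VMI tagged to the item and send it to the client."""
        entry = DATA_ITEMS[item]
        if entry["vmi"] is None:  # untagged item: no VM required
            return {"data": entry["body"]}
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (item, entry["vmi"])
        return {"vmi": entry["vmi"], "nonce": nonce}

    def verify_and_release(self, nonce, report):
        """Steps 114/116: release the item only if the report matches the known-good metric."""
        item, required = self.pending.pop(nonce, (None, None))
        if item is None:
            return None  # unknown or already-consumed nonce
        expected = attest(nonce, EXPECTED_METRICS[required])
        if not secrets.compare_digest(report, expected):
            return None  # wrong VM (or tampered configuration): withhold the data
        return DATA_ITEMS[item]["body"]


class Client:
    def __init__(self, catalog):
        self.catalog = catalog
        self.running = {}  # vmi -> configuration of the spawned VM

    def spawn(self, vmi):
        """Step 112: spawn the VM by instantiating its catalogued configuration."""
        cfg = dict(self.catalog[vmi])
        self.running[vmi] = cfg
        return cfg

    def fetch(self, server, item):
        resp = server.request_data(item)
        if "data" in resp:
            return resp["data"]
        cfg = self.spawn(resp["vmi"])
        return server.verify_and_release(resp["nonce"], attest(resp["nonce"], measure(cfg)))


if __name__ == "__main__":
    srv = Server()
    print(Client(VM_CATALOG).fetch(srv, "payroll.xlsx"))  # b'salary table'
    tampered = {**VM_CATALOG, "VM-FINANCE": {**VM_CATALOG["VM-FINANCE"], "usb": True}}
    print(Client(tampered).fetch(srv, "payroll.xlsx"))  # None
```

The nonce is consumed on verification, so a report captured from one exchange cannot be presented for a second release, and a client whose VM-FINANCE configuration has been altered (USB enabled in the tampered catalog above) produces a metric that does not match the server's copy and is refused.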
[0017] Another security mechanism implemented in the system shown
in FIG. 1 is for the client computer 30 to spawn the
server-specified virtual machine only if the client computer 30 is
physically located at a location commensurate with location
information associated with the specified virtual machine. In at
least some embodiments, location refers to geographic location such
as that defined by a longitude and latitude.
[0018] Computer readable medium 38 comprises a dataset 46 that
provides, for each of one or more virtual machine identifiers 47,
location information 48. Each location information 48 specifies, in
various embodiments, a range of locations at which the client
computer 30 must be physically present for the client computer 30
to spawn the virtual machine associated with the virtual machine
identifier 47. In other embodiments, the location information 48
defines one or more locations at which the client computer 30 must
not spawn the virtual machine associated with a corresponding
virtual machine identifier 47, and thus indirectly specifies the
allowable location for the virtual machine.
[0019] Based on the location information 48, the processor 32 of
the client computer 30 compares the client computer's current
location as provided, for example, by the location determination
device 50, to the location information 48 of CRM 38 to determine
whether the client computer 30 is presently located at a location
at which the client computer is permitted to spawn the
server-specified virtual machine. If the client computer 30 is
located at such a suitable location (as defined by the dataset 46),
the processor 32 spawns the specified virtual machine. On the other
hand, if the client computer 30 is not at a location that permits
the client computer to spawn the specified virtual machine, the
processor 32 precludes the requested virtual machine from being
spawned, and as a result, the client computer 30 is not permitted
to receive the requested data item 16 from the server computer
10.
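Dataset 46 and decision 108 of [0018] and [0019], as an added example that is not part of the patent. The dataset maps each VMI 47 to location information 48 in either of the two forms the description permits, a set of allowed ranges or a set of locations at which the VM must not be spawned; the coordinates, the VMI names and the `(lat, lon, error)` shape of the fix from location determination device 50 are assumptions. The check widens the fix by its reported error, so a coarse fix straddling a boundary, an unknown VMI, or a missing fix all fail closed. The same function can be run on the server in the variant of [0024] where the location information is tagged to the data item instead.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Box:
    """Axis-aligned latitude/longitude range, in degrees."""
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float

    def contains(self, other):
        """True if the Box `other` lies entirely inside this range."""
        return (self.lat_min <= other.lat_min and other.lat_max <= self.lat_max
                and self.lon_min <= other.lon_min and other.lon_max <= self.lon_max)

    def overlaps(self, other):
        """True if the Box `other` touches this range anywhere."""
        return not (other.lat_max < self.lat_min or other.lat_min > self.lat_max
                    or other.lon_max < self.lon_min or other.lon_min > self.lon_max)


def fix_box(fix):
    """Region the device may really be in: a (lat, lon, error_degrees) fix widened
    by its reported error. A coarse fix near a boundary therefore fails closed."""
    lat, lon, err = fix
    return Box(lat - err, lat + err, lon - err, lon + err)


# Constructed dataset 46: for each VMI 47, location information 48 given either as
# "allow" ranges (the client must be inside one of them) or "deny" ranges (the
# client must be outside all of them). Coordinates and VMI names are made up.
DATASET_46 = {
    "VM-FINANCE": {"allow": [Box(29.95, 30.00, -95.70, -95.60)]},
    "VM-ENGINEERING": {"allow": [Box(29.95, 30.00, -95.70, -95.60),
                                 Box(40.40, 40.50, -105.15, -105.00)]},
    "VM-KIOSK": {"deny": [Box(-90.0, 90.0, 100.0, 180.0)]},
}


def may_spawn(dataset, vmi, fix):
    """Decision 108: may the VM for `vmi` be spawned at `fix` (None = no fix)?"""
    policy = dataset.get(vmi)
    if policy is None or fix is None:
        return False  # unknown VMI or no usable fix: fail closed
    where = fix_box(fix)
    if "allow" in policy:
        # the whole uncertainty region must sit inside one permitted range
        return any(rng.contains(where) for rng in policy["allow"])
    # deny-list form: the uncertainty region must not touch any forbidden range
    return not any(rng.overlaps(where) for rng in policy["deny"])


def decide(dataset, vmi, fix):
    """Steps 108/110/112: either spawn, or refuse and build the report sent to server 10."""
    if may_spawn(dataset, vmi, fix):
        return "spawn", None
    return "refuse", {"vmi": vmi, "fix": fix, "reason": "location not permitted"}
```

The refusal report is what [0021] has the client send back so the server can withhold the data and alert an administrator; note that a device whose GPS fix is 0.1 degrees wide is refused even when its centre is inside the permitted campus, because the device may in fact be outside it.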
[0020] FIG. 2 illustrates a method in accordance with various
embodiments of the invention. The actions listed in FIG. 2 can be
performed in a different order from that shown, and various actions
can be performed concurrently. At 102, the method comprises
receiving a request for a particular data item from the client
computer 30. At 104, the method further comprises obtaining an
identifier of a virtual machine associated with the requested data.
At 106, the method also comprises providing the virtual machine
identifier from the server 10 to the client 30 over network 28.
[0021] At 108, the client computer 30 determines whether its
location is such that the specified virtual machine can be spawned
on the client computer 30. If the client computer's location is not
suitable for spawning the specified virtual machine, then at 110,
the method precludes the client computer 30 from spawning the
specified virtual machine. Further, the client computer 30 may
report its inability to spawn the specified virtual machine to the
server 10. This alert may indicate that client computer 30 has been
stolen. As a result of receiving this alert from the client
computer 30, the server will not provide the requested data item 16
to the client computer 30. Additionally or alternatively, the
server computer 10 may enact one or more security mechanisms such
as alerting a network administrator that the client computer 30
requested a particular data item but failed to spawn the correct
virtual machine.
[0022] At 108, the client computer may determine that its present
location does fall within the range of locations that permits the
client computer 30 to spawn the server-specified virtual machine.
Accordingly, at 112, the method further comprises the client
computer 30 spawning the specified virtual machine. At 114, the
server computer 10 verifies that the client computer 30 spawned the
correct virtual machine in accordance with the virtual machine
identifier provided to the client computer 30 by the server
computer 10. At 116, the server computer 10 permits the client
computer 30 to access the data and thus provides such data to the
client computer 30 if the server computer 10 successfully verifies
that the client computer spawned the correct virtual machine.
[0023] In the embodiment shown in FIG. 1, the client computer 30
comprises a location determination device 50 by which the client
computer determines its present location. In other embodiments,
however, the mechanism by which the client computer's location is
determined is not part of the client computer, but is provided
apart from the client computer 30. For example, a location
attestation service (LAS) is implemented to determine whether the
client computer's location comports with a location requirement
tagged to the data a user of the client computer wishes to view. An
example of such a location attestation service is described in
copending application entitled "Location Attestation Service,"
serial no. 11/709,473, incorporated herein by reference. Using such
an LAS, client computer 30 submits a request for the server
computer's data to the server computer 10. The server computer 10
requests proof of location from the client computer 30. The
client computer 30 searches for a location attestation service
interface device (LASID) (e.g., one LASID per location area). The
LASID contacts a management server, which may be server computer 10
or a different server, and grants a location certificate to the
client computer 30. The client computer 30 then presents the
location certificate to the server computer 10, which thereby
verifies that the client computer's location permits the required
virtual machine to be spawned.
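The location attestation exchange of [0023], as an added example that is not part of the patent or of the cited Location Attestation Service application: server 10 challenges the client with a nonce, the LASID the client finds obtains a certificate from the management server naming the client, the LASID's area and that nonce, and server 10 verifies the certificate before allowing the VM to be spawned. An HMAC under a key shared between the management server and server 10 stands in for the certificate's signature (a real LAS would use a public-key signature so that server 10 holds no signing key); the LASID-to-area table, the item-to-area requirements, the validity window and the field names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: server 10 and the management server share this key, so an HMAC
# stands in for the certificate signature. Constructed value, not for real use.
MANAGEMENT_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed: which LASID serves which location area, and which areas permit the
# VM tagged to each data item (location requirement tagged to the data).
LASID_AREAS = {"lasid-cypress-b3": "cypress-campus",
               "lasid-fortcollins-b1": "fortcollins-campus"}
ITEM_AREAS = {"payroll.xlsx": {"cypress-campus"},
              "roadmap.pdf": {"cypress-campus", "fortcollins-campus"}}


def _tag(payload):
    """MAC over the canonical encoding of the certificate body."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MANAGEMENT_KEY, canonical, hashlib.sha256).hexdigest()


def issue_certificate(lasid_id, client_id, nonce, now, ttl_s=300):
    """Management server, reached via the LASID: grant a location certificate."""
    payload = {"client": client_id, "lasid": lasid_id, "area": LASID_AREAS[lasid_id],
               "nonce": nonce, "issued": now, "expires": now + ttl_s}
    return {"payload": payload, "tag": _tag(payload)}


def verify_certificate(cert, client_id, nonce, now):
    """Server 10: check the MAC, the binding to this client and request, and freshness."""
    payload = cert["payload"]
    if not hmac.compare_digest(cert["tag"], _tag(payload)):
        return None  # forged or altered
    if payload["client"] != client_id or payload["nonce"] != nonce:
        return None  # issued to someone else, or replayed from an earlier challenge
    if not payload["issued"] <= now < payload["expires"]:
        return None  # stale
    return payload["area"]


def server_authorizes(item, cert, client_id, nonce, now):
    """Proof-of-location step: may this client spawn the VM tagged to `item`?"""
    area = verify_certificate(cert, client_id, nonce, now)
    return area is not None and area in ITEM_AREAS[item]


def exchange(item, lasid_id, client_id, now):
    """Whole round trip: request, nonce challenge, LASID certificate, verification."""
    nonce = secrets.token_hex(16)  # chosen by server 10 when it asks for proof
    cert = issue_certificate(lasid_id, client_id, nonce, now)
    return server_authorizes(item, cert, client_id, nonce, now + 5)
```

The nonce ties the certificate to the current request, so a certificate obtained on campus cannot be presented later from elsewhere, and the validity window bounds how long a certificate remains useful if the nonce check were ever bypassed.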
[0024] In accordance with another example, decision 108 in FIG. 2
is performed by the server computer 10 requesting the location of
the client computer 30 from the client computer 30. The client
computer 30 provides its location to the server 10. The server 10
compares the client computer's location to location information
that may also be tagged to each data item 16. Thus, in this
embodiment, each data item 16 comprises a virtual machine
identifier 18 that specifies the virtual machine that is to be
spawned by the client computer 30 as well as location information
which defines the locations at which the corresponding virtual
machine can be spawned by the client computer 30. If the server 10
determines that the client computer 30 is present at the correct
location, the server computer 10 asserts a signal back to the
client computer 30 authorizing the client computer 30 to spawn the
server-specified virtual machine. Otherwise, the server computer 10
precludes the client computer 30 from spawning the specified
virtual machine.
[0025] In accordance with various embodiments, the client computer
30 monitors its location and terminates a spawned virtual machine
if the client computer 30 is no longer at a location at which the
virtual machine is permitted to be spawned. Termination of a
virtual machine destroys partitions of the virtual machine as well
as any associated secrets, keys, etc. Thus, if the client computer
30 is mobile and is moved from one location to another while a
virtual machine is spawned, the client computer 30 will terminate
the virtual machine if the virtual machine is not permitted at the
new location. The client computer 30, or whatever device determines
the client computer's location and ensures that the location is
appropriate for the target virtual machine, continually or
periodically (e.g., once per minute, once every 5 minutes, etc.),
or through an event-driven mechanism such as the loss of a location
signal from a location determination device, monitors the location
and compliance with the location requirement of the server data
being accessed by the client computer 30.
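The monitoring of [0025], as an added example that is not part of the patent: a stand-in for a spawned VM that holds a secret, and a monitor that re-checks the client's location on a timer or on loss of the location signal and terminates the VM, wiping the secret, once the client is no longer where that VM is permitted. The permitted range, the 60-second interval, the `(lat, lon)` fix shape and the event trace are assumptions.

```python
class SpawnedVM:
    """Stand-in for a VM spawned by the VMM in code 45, with its partition and a secret."""

    def __init__(self, vmi, key):
        self.vmi = vmi
        self.partition = {"os": "loaded", "memory_mb": 2048}  # constructed stand-in
        self.key = key  # bytearray, so it can be zeroised in place on termination
        self.alive = True

    def terminate(self):
        """Destroy the partition and wipe any associated secret before releasing it."""
        for i in range(len(self.key)):
            self.key[i] = 0
        self.key = bytearray()
        self.partition = None
        self.alive = False


def inside(box, fix):
    """box = (lat_min, lat_max, lon_min, lon_max); fix = (lat, lon)."""
    lat, lon = fix
    return box[0] <= lat <= box[1] and box[2] <= lon <= box[3]


class LocationMonitor:
    """Keeps a running VM only while the client stays where that VM is permitted."""

    def __init__(self, vm, permitted_box, interval_s):
        self.vm = vm
        self.box = permitted_box
        self.interval = interval_s
        self.last_check = None
        self.log = []  # (time, trigger, outcome), for the report to server 10

    def _enforce(self, now, fix, trigger):
        self.last_check = now
        if fix is None or not inside(self.box, fix):
            self.vm.terminate()
            self.log.append((now, trigger, "terminated"))
            return False
        self.log.append((now, trigger, "ok"))
        return True

    def on_timer(self, now, fix):
        """Periodic path: re-check only once the configured interval has elapsed."""
        if not self.vm.alive:
            return False
        if self.last_check is not None and now - self.last_check < self.interval:
            return True  # not due yet; this fix is not acted on
        return self._enforce(now, fix, "periodic")

    def on_signal_lost(self, now):
        """Event-driven path: losing the location signal is treated as leaving the area."""
        if not self.vm.alive:
            return False
        return self._enforce(now, None, "signal-lost")


def simulate(events, interval_s=60):
    """Run a constructed trace of (time, kind, fix) events; returns (vm, log)."""
    vm = SpawnedVM("VM-FINANCE", bytearray(b"\x11" * 16))
    mon = LocationMonitor(vm, (29.95, 30.00, -95.70, -95.60), interval_s)
    for t, kind, fix in events:
        if kind == "timer":
            mon.on_timer(t, fix)
        elif kind == "signal-lost":
            mon.on_signal_lost(t)
    return vm, mon.log
```

Note the window the purely periodic path leaves: a fix that arrives before the interval has elapsed is ignored even if it is already outside the permitted range, which is why the description also allows an event-driven trigger; shorten the interval or act on every fix if that window matters for the data being protected.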
[0026] The above discussion is meant to be illustrative of the
principles and various embodiments of the present invention.
Numerous variations and modifications will become apparent to those
skilled in the art once the above disclosure is fully appreciated.
It is intended that the following claims be interpreted to embrace
all such variations and modifications.
* * * * *